b'December 20, 2001\n\n\nThe Honorable Michael M. Reyna\nChairman of the Board and\n Chief Executive Officer\nFarm Credit Administration\n1501 Farm Credit Drive\nMcLean, Virginia 22102-5090\n\nDear Mr. Reyna:\n\nThe Office of the Inspector General completed an inspection of the Farm Credit Administration\xe2\x80\x99s\n(FCA) Personnel Security Program. The objective of this inspection was to evaluate the\nprogress made in addressing seven suggested actions contained in an OIG Management Letter\nto strengthen FCA\xe2\x80\x99s Personnel Security Program, dated May 10, 1999.\n\nWe found that management addressed the suggested actions made in the OIG Management\nLetter. However, employees have not always been following the procedures that were revised\nto address the weaknesses found in the letter. Further, we found the personnel security\nprogram at FCA still lacks emphasis on its importance to the Agency.\n\nWe performed the inspection following the President\xe2\x80\x99s Council on Integrity and Efficiency\nQuality Standards for Inspections. We conducted fieldwork from August 21 through October 24,\n2001. We provided a preliminary discussion draft report to program officials on November 21st\nfor their review. We issued the final draft report on December 7th. Finally, we held an exit\nconference and discussed the final draft report with Phil Shebest, Chief Administrative Officer,\nthe appropriate OCAO employees, the Chief Operating Officer, and the Audit Followup Official\non December 19, 2001. Where actions were presented to the OIG that would resolve the\nweaknesses found in the findings, the recommendation was changed to an agreed upon action.\nThe report has an appendix with an organizational chart. Due to privacy concerns, the appendix\nwill only be distributed to Board Members, the Chief Operating Officer, and the Chief\nAdministrative Officer.\n\nIf you have any questions about this inspection, I would be pleased to meet with you at your\nconvenience.\n\nRespectfully,\n\n\nStephen G. Smith\nInspector General\n\x0cPersonnel Security\n         Program\n\n            01-06\n\x0c                                        TABLE OF CONTENTS\n\n\n\n\nBACKGROUND                                                          4\n\nPersonnel Security Program                                          4\n  OIG Management Letter on Personnel Security                       4\n\nOBJECTIVE AND SCOPE                                                 4\n\nFINDINGS AND RECOMMENDATIONS                                        5\n\nPersonnel Security Policies and Procedures Are Thorough             5\n  Agreed Upon Action                                                5\n\nPersonnel Security Program Still Lacks Importance                   6\n  Internal Procedures Are Not Always Being Followed                 6\n  Personnel Security Records Were Inaccurate                        7\n  PSO Performance Standards Need Strengthening                      7\n  Internal Control Reviews Are Not Being Conducted                  8\n  PSO Has Not Been Provided Sufficient Training                     8\n  Agreed Upon Action                                                8\n\nPosition Sensitivity Levels Need Updating                           8\n  Agreed Upon Actions                                               9\n\nPersonnel Security Duties Are Not Being Performed for All Workers    9\n  FCA Board Members                                                  9\n  FCA Contractors                                                   10\n  Agreed Upon Actions                                               10\n\x0c BACKGROUND\n\n         The Farm Credit Administration (FCA or Agency) is an independent Federal financial regulatory\n         agency. FCA has regulatory, examination and supervisory responsibilities for the Farm Credit\n         System (System) banks, associations, and related institutions. FCA employs less than 300 people.\n         Personnel related costs account for about 81 percent of the Agency\xe2\x80\x99s $36.8 million fiscal year 2001\n         budget.\n\nPersonnel Security Program\n\n         All persons obtaining Federal employment are required to have a background investigation\n         conducted to ensure the applicant meets suitability requirements. Suitability is based on an\n         individual\xe2\x80\x99s character or conduct that may have an impact on the integrity or efficiency of service.\n         The depth of the background investigation is determined by the sensitivity and risk level of the\n         position the individual seeks.\n\n         Individual agencies are delegated the authority to maintain their own personnel security program in\n         accordance with regulations and guidelines provided through the Office of Personnel Management\n         (OPM) at 5 CFR 731 and 732. FCA employees hold positions of public trust. All FCA positions are\n         rated low, moderate or high risk according to the criteria for risk rating of public trust positions.\n         According to our analysis, there are currently 51 sensitive positions. Of these, 19 positions should\n         be designated as high risk (including one vacant position) and 32 positions should be designated\n         as moderate risk. The remaining FCA employees are in low risk or nonsensitive positions.\n\n         OIG Management Letter on Personnel Security\n\n         On May 10, 1999, the Office of Inspector General (OIG) issued a management letter as a result of\n         work performed in connection with an investigation. This letter detailed the weaknesses found in\n         the personnel security program at that time. In this management letter, seven suggested actions\n         were made to improve FCA\xe2\x80\x99s personnel security program. The management letter focused on\n         weaknesses in performing timely background investigations and in determining proper sensitivity\n         levels for Agency positions.\n\n\n OBJECTIVE AND SCOPE\n\n\n         The objective of this inspection was to determine if the FCA made progress in improving the\n         personnel security program by adopting previously reported suggested actions in the OIG\n         management letter. We reviewed records, current regulations and guidelines on personnel\n         security, FCA policies and procedures, and conducted interviews with appropriate Office of\n         Administrative Officer (OCAO) staff to determine the progress. We also reviewed employee\n         listings and personnel files to determine the accuracy and completeness of records. OCAO\n         currently has the responsibility for the personnel security function. Previously, this work was the\n         responsibility of the former Office of Resources Management (ORM), Human and Administrative\n         Resources Division (HARD). In the following sections, the previous suggested actions are re-\n         stated (similar actions grouped together) along with our findings. Included in our findings are\n         1) actions taken in response to our previous management letter, 2) the status of the current\n         program, and 3) recommendations or agreed upon actions to improve areas where we found\n         weaknesses still exist.\n\x0c      FINDINGS AND RECOMMENDATIONS\n\n    Personnel Security Policies and Procedures Are Thorough\n\n                                                The OCAO has taken action on both internal operating procedures and\n                                                the Agency policies and procedures manual (PPM) to better provide\n                                                guidance and show clear program responsibilities for the personnel\n     OIG Management Letter                      security process. The changes to OCAO\xe2\x80\x99s internal procedures include:\n       Suggested Actions\n                                                                   The personnel management specialists\xe2\x80\x99 (PMS or\n#2 Create clear individual and program                specialist) responsibility to send all SF-52s (Requests for\nresponsibilities, procedures and timelines to         Personnel Action) immediately on approval to the Personnel\nensure the program is completely and                  Security Officer (PSO) for sensitivity designation.\naccurately operated.                                               The specialists\xe2\x80\x99 responsibility to discuss personnel\n                                                      security issues with managers when reviewing personnel actions.\n                                                                   The PSO\xe2\x80\x99s duties, responsibilities and procedures\n#3 Personnel security files of HARD                   are clearly stated.\nshould be transferred to the ORM                                   OCAO added the requirement for applicants to\nDirector in compliance with the Agency                submit the form OF-306 \xe2\x80\x9cDeclaration for Federal Employment\xe2\x80\x9d\nPPM 825 or the PPM should be revised                  before they are offered a position at FCA which includes\nto allocate safekeeping of the files in               background questions previously, but no longer, included in the\nanother area in compliance with applicable            standard government employment application (SF-171).\nguidelines.\n                                                With only a minor exception, we found the updated internal policies and\n                                                procedures are detailed and clearly define individual responsibilities and\n                                                operating procedures (organizational title changes need updating in\n                                                OCAO\xe2\x80\x99s policies and procedures).\n\n                    Similarly, our review of the FCA PPM on personnel security (No. 825) found only minor exceptions:\n\n                    --   The organizational titles are outdated.\n                    --   The section, \xe2\x80\x9cEstablishing New Positions,\xe2\x80\x9d should be updated to match OCAO\xe2\x80\x99s internal\n                         procedures that state security designations will be determined immediately upon receiving\n                         SF-52s.\n\n                    FCA PPM 825 addressed the need to maintain the PSO and alternate PSO security files\n                    separately. The PSO and alternate PSO are the only persons who have access to the safe where\n                    all FCA employee security files are kept. The individual files of the PSO and alternate PSO should\n                    be kept under the control of someone other than themselves. Although these files do not contain\n                    investigative reports or findings material, our discussions with OPM\xe2\x80\x99s Investigations Service\n                    suggest that these employees\xe2\x80\x99 security files should be kept under separate control regardless of\n                    the materials included in the files.\n\n                    Finally, we reviewed the delegations of authority for PSO responsibilities. The Agency delegation\n                    of authority (Del-12, dated July 16, 1998) is outdated for organizational titles, employee names and\n                    Agency PPM number reference. The OCAO delegation is correct in naming the current PSO.\n\n                    Agreed Upon Action\n\n                    1) The CAO will update Agency Delegation 12 and PPM 825 for the Chairman\xe2\x80\x99s signature\n                         to address the above exceptions.\n\x0c    Personnel Security Program Still Lacks Importance\n\n                                                The personnel security work in the OCAO is not emphasized as an\n                                                important function for the office. This is based on observations\n                                                including: the specialists sometimes delay or do not always forward\n    OIG Management Letter                       SF-52s to the PSO for security determinations; the PSO is not\n      Suggested Actions                         consistently documenting security determinations; some records in\n                                                the personnel security listings/spreadsheets are inaccurate and\n                                                outdated; the PSO\xe2\x80\x99s performance standards lack rating criteria and\n                                                weight; and, internal control reviews are not being conducted.\n#1 Emphasize to responsible staff that the\nissue of public trust in Agency operations is   Internal Procedures Are Not Always Being Followed\nimportant and hold them accountable for\ntimely, accurate and complete performance.      While procedures require the PSO to review personnel actions to\n                                                determine position sensitivity levels, the results show the PSO is not\n#5 HARD should exercise greater                 consistently receiving and reviewing the position descriptions to\ndiligence in providing necessary information    determine sensitivity levels before actions are taken.\nto the alternate PSO for security determina-\ntion before further action is taken on the      We took a random sample of 10% (five) of the internal actions for the\n                                                last 2 years, as well as the actions for 2 high risk positions. We found\npersonnel request.                              that 6 of the 7 actions reviewed did not evidence staff adherence to\n #4 The PSO or alternate PSO should             OCAO procedures, as follows:\nensure that a system is developed and\nmaintained to accurately reflect all employee                      3 actions did not have a security designation or\n                                                      evidence that the PSO reviewed the action;\nbackground investigations completed and in                         1 action lacked the PSO\xe2\x80\x99s signature, although a\nprocess. Additionally, this system should             security designation was given; and\ntrack when re-investigations should be                             2 actions were signed by the PSO after the\nconducted for applicable employees.                   effective date of the action.\n\n                                            We also reviewed Official Personnel Files (OPFs) of recently hired\n                                            employees (from outside FCA). Of the 38 new hires in our sample,\n                   14 did not have personnel security background requirements because they were interns or\n                   temporary employees. One of the remaining 24 employees did not have the required background\n                   investigation performed.\n\n                   There is no documentation that the PSO made a determination about the need to conduct\n                   investigations on the 5 employees who transferred from other Federal agencies. After an\n                   extensive review, we did find that investigations were not required. While not a requirement,\n                   providing a memo of a transferred employee\xe2\x80\x99s status in their OPF is desirable and practical for\n                   tracking purposes. OPM\xe2\x80\x99s Investigations Service agreed that this practice would enhance the\n                   personnel security function.\n\n                   We reviewed OPFs to determine if the PSO was receiving the SF-52s timely. We did not find\n                   evidence that requests for personnel action ever went through the PSO for three employees. In\n                   nine other cases, the PSO did not receive the SF-52 until 2 \xc2\xbd to 7 \xc2\xbd months after the authorizing\n                   official approved the SF-52.\n\n                   Finally, we looked at the length of time between OPM certifying completion of investigations and\n                   the PSO documenting the determination to the employee or the OPF. The current PSO has been\n                   diligent in reviewing OPM\xe2\x80\x99s investigative reports and completing the process. Delays in only two\n                   cases were attributable to the prior PSO.\n\x0c          Personnel Security Records Were Inaccurate\n\n          The PSO maintains spreadsheets to keep track of background investigations and employee\n          position sensitivity designations. One of the spreadsheets is a \xe2\x80\x9cHigh Risk List\xe2\x80\x9d worksheet that lists\n          all FCA employees with sensitive positions designated as either high or moderate risk. A second\n          spreadsheet \xe2\x80\x9cSensitivity Designation Worksheet\xe2\x80\x9d shows the sensitivity designations and specific\n          numerical ratings for all FCA employees.\n\n          When we compared the two spreadsheets, we found the following inaccuracies on the High Risk\n          List:\n\n                8 employees are on list who are no longer employed at FCA (the oldest separation being in\n                March 2000).\n                3 employees were not listed, but should have been (2 moderate risk and 1 high risk\n                employee),\n                12 employees had incorrect position titles (for example, Field Office Directors still named as\n                Associate Regional Directors)\n                2 employees should not be on the list because they are in low risk positions.\n\n\nAlthough the Sensitivity Designation Worksheet is more up-to-date than the High Risk List, we\nfound:\n\n                many employees have left FCA, but are still on this list,\n                1 employee is not listed at all (although he is on the High Risk List), and\n                1 employee is rated as a moderate risk although she is not on the High Risk List and her\n                position should be low risk.\n\n          The inaccuracies in these spreadsheets indicate a lack of attention to this program and the\n          importance of accurate recordkeeping. We provided a comparison for the sensitive positions to the\n          PSO who made the appropriate corrections.\n\n          Although there are only a few high risk positions requiring 5-year reinvestigations, we did not find a\n          procedure for the PSO to review the high risk positions and track timeframes for performing\n          reinvestigations. If the high risk list was kept up-to-date showing when reinvestigations are\n          required or when a high risk position is vacant, it could be used in the office budget and planning\n          process. This would be useful since high risk position background investigations are the most\n          expensive. Having the PSO provide this information in conjunction with the planning process,\n          would also ensure that a review is done annually to ensure reinvestigations are processed.\n\n          PSO Performance Standards Need Strengthening\n\n          The PSO\xe2\x80\x99s performance standards contain all PSO duties under one bullet for one critical\n          performance element, \xe2\x80\x9cSpecial Personnel Programs.\xe2\x80\x9d This bullet is one of eight bullets for this\n          element and does not contain performance criteria except for the PSO\xe2\x80\x99s task of updating policies\n          and procedures within one month. Having the PSO duties as only one element among many\n          reduces the importance of the function by not offering it the appropriate weight. Although time\n          spent on the PSO duties is not significant, the work is and should be elevated to reflect its\n          significance to the Agency.\n\x0c         Internal Control Reviews Are Not Being Conducted\n\n         The internal OCAO policy for personnel security provides for internal control reviews that should\n         ensure the program is running effectively. The policy states \xe2\x80\x9cThe PSO and/or alternate PSO will\n         engage in a quarterly review of personnel security files to determine the nature of any outstanding\n         investigations.\xe2\x80\x9d However, the PSO stated he does not review the files quarterly as a matter of\n         practice. Rather, he updates the spreadsheets when new actions occur. Additionally, there is no\n         process to remove employees who have left the Agency. Because reviews of the records are not\n         done as a whole, the spreadsheets have many inaccuracies as described earlier.\n\n         The OCAO policy also provides for an annual audit of the program by the alternate PSO.\n         According to policy, the findings of the annual audit are reported to the Chief, HARD (now the Chief\n         Administrative Officer) with any recommendations for corrective measures. However, the Alternate\n         PSO has not performed the required audit. The management control plan for OCAO dated\n         July 10, 2000, labeled the personnel security function \xe2\x80\x9clow risk\xe2\x80\x9d and is not due for a review until the\n         third quarter of fiscal year 2003. This is another indicator that the personnel security program lacks\n         appropriate emphasis.\n\n         PSO Has Not Been Provided Sufficient Training\n\n         The current PSO had some on-the-job training from the former PSO before he retired. The PSO\n         stated that he has only been assigned these duties for about a year and feels that he is not\n         seasoned or fully knowledgeable/experienced in this area. The current PSO developed contacts\n         with the OPM Investigations Service. He also receives updates on changes in the regulations\n         about personnel security issues and guidelines. However, the PSO\xe2\x80\x99s only formal training was a\n         one-day conference that provides updates on personnel security issues.\n\n         Agreed Upon Action\n\n         2) The CAO will place greater emphasis on the personnel security program by:\n\n             a) creating a performance measure for the personnel security function\n                using criteria encompassing the timeliness, thoroughness and\n                accuracy of personnel security reviews and records.\n             b) requiring the PSO to provide documentation in the OPFs of all new\n                hires showing the security status of the employee.\n             c) creating a separate critical element in the PSO\xe2\x80\x99s performance standards\n                with specific criteria for all PSO responsibilities.\n             d) creating an element in all other appropriate OCAO staff\xe2\x80\x99s performance standards\n                addressing their responsibilities to the personnel security function.\n             e) auditing the personnel security program each year covering areas\n                described in the findings above.\n             f) providing training for the PSO on personnel security responsibilities,\n                including legal updates and personnel security adjudications.\n\nPosition Sensitivity Levels Need Updating\n\n         The former PSO completed a review of position sensitivity levels for FCA employees in the\n         summer of 1999. As a result, the Field Office Directors\xe2\x80\x99 positions were upgraded from low risk to\n         moderate risk. The Equal Employment Opportunity manager was also upgraded from low risk to\n         moderate risk. After the review, the former PSO, in consultation with the Office of General\n         Counsel, determined the Designated Agency Ethics Officer position did not require updating and is\n\x0c                   still rated low risk. Also, one Executive Assistant was added to the high risk list, and now all Board-\n                   level assistants are on that list.\n\n                                               Although a review was done in the summer of 1999, our review found\n                                               there are now other positions needing elevation from being low risk.\n                                               The chart in Appendix 1 highlights several inconsistencies that should\n   OIG Management Letter                       be addressed. For example, one of the two Executive Assistants to the\n     Suggested Actions                         Chief Operating Officer (COO) has a moderate risk and the other has a\n                                               low risk designation. The position with the low risk designation has\n                                               access to the same or more sensitive information since the employee in\n#6        The Field Office Director            this position is involved in policy and strategic direction issues.\npositions should be reevaluated for risk\nlevel classifications.                         There are other positions not evident on the chart that should be\n                                               addressed. We noted many of the FCA computer specialist positions\n#7 A review of all FCA positions,              are considered moderate risk. In our opinion, the Information\nespecially those with higher levels of         Technology (IT) examiners have the same risk factors as the computer\nresponsibility and access to sensitive         specialists and their sensitivity levels should be upgraded. We did not\ninformation, should be completed.              do a full review of all positions in FCA. We mentioned these positions\n                                               because they came to our attention when reviewing the PSO position\n                                               sensitivity lists. These positions reiterate the need for more detailed\n                                               reviews of internal position changes by the specialists and the PSO.\n\n                                              The internal policy of OCAO is that specialists are to discuss personnel\n                   security issues with managers. Although we did not interview the specialists about this\n                   requirement, informal discussions with managers revealed that personnel security or risk factors of\n                   positions are not discussed during the recruiting process or when positions are upgraded because\n                   of new responsibilities.\n\n                   Agreed Upon Actions\n\n                   3) The CAO will develop a process to validate position risk ratings periodically. As part of\n                        this process, the CAO will review all updated or newly created positions in the last two\n                        years, including the Executive Assistant to the COO position and the IT examiner\n                        positions to determine appropriate risk levels.\n\n                   4) The PSO should provide the specialists a short checklist that describes position\n                        sensitivity issues to discuss with managers and require that this checklist should be\n                        discussed with managers and the results provided to the PSO for any new or updated\n                        position description.\n\n    Personnel Security Duties Are Not Being Performed for All Workers\n\n                   FCA Board Members\n\n                   The Board members were not part of our review because they did not fall under the scope of our\n                   sample. However, we noted that the Board members were designated as the only employees with\n                   \xe2\x80\x9csubstantial\xe2\x80\x9d impact on the Agency\xe2\x80\x99s programs. The PSO records showed they were high risk and\n                   their investigations were to be done by the Federal Bureau of Investigation. However, there was\n                   no documentation concerning the status of their background investigations. The PSO stated FCA\n                   does not conduct any personnel security work concerning the Board members\xe2\x80\x99 background\n                   investigations.\n\x0cThe Board members are presidentially appointed and do not fall under normal civil service rules.\nHowever, they are employees of the Agency and their security status should be verified, whether\ninitiated by FCA or previously conducted by the White House Security Office. Most likely, Board\nmembers receive detailed background investigations before being confirmed. However, according\nto the PSO, FCA does not know the status of the Board members\xe2\x80\x99 security clearance. We\ncontacted OPM\xe2\x80\x99s Investigations Service and confirmed it is the Agency\xe2\x80\x99s responsibility to verify that\nbackground investigations were completed and the level of the investigation was adequate for the\npositions that the presidentially appointed personnel hold. Further, the Investigations Service\nstated that the Board members should be re-investigated if FCA\xe2\x80\x99s policy is to do periodic\nre-investigations of high risk positions.\n\nThe Board members should have the highest level security clearance available in order to be able\nto respond to any call placed upon them by the Administration. Inadequate security clearances\ncould result in an embarrassment to the Board member. For example, they may not be able to\naccess information that is critical to a policy decision or they could be rejected from meetings and\nsites with sensitive or classified information due to their lack of security clearance. Such situations\nmight occur, especially in times of national emergency. According to OPM\xe2\x80\x99s Investigations\nService, it is standard practice to have the head of the agency hold a Top Secret security\nclearance.\n\nFCA has one employee with a Top Secret security clearance, which allows her access to classified\ninformation. (Top Secret security clearances are slightly different than the process for public trust\npositions.) However, she would not be able to share this information with the head of FCA if he\ndoes not have the appropriate clearance. Nor can the PSO adjudicate her re-investigation if he\ndoes not also hold that level of clearance. The PSO needs to be knowledgeable about the Board\nmembers investigations and level of security clearance. To provide appropriate service to the\nBoard and the Agency, the PSO should obtain appropriate high-level security clearance\ndesignations for the Board members, and himself, if he is to adjudicate high-level security\nclearances.\n\nFCA Contractors\n\nFinally, we asked what the procedures were for contractor background investigations or if FCA had\nconducted any such investigations. The PSO stated he was not aware of ever having a\nbackground investigation done for a contractor. We discussed this issue with the contracting\nspecialist. He stated that he is unaware of any procedures for conducting background\ninvestigations on contract employees, except in the case of personal service contracts. FCA has\nnot had a personnel service contract for several years. The contract specialist said that as a part of\nhis contracting procedures he does do reference checks on contractors. However, he has never\nconsulted with the PSO about possibly conducting a background investigation. The Federal\nAcquisition Regulations state that agency procedures should be followed. Although this area may\nnot be common since FCA rarely enters into sensitive contracts, FCA should have a process to\ndecide if a background investigation should be conducted for contract employees. The most\ncommon basis for such background investigations would be contractors who had access to\nsensitive information or unescorted access in an FCA office or building.\n\nAgreed Upon Actions\n\n5) The PSO will ensure appropriate security clearances are acquired and documented for\n    Board members.\n\n6) The PSO and contracting officer will establish procedures for determining if\n    background investigations are needed for contract personnel.\n\x0c'